New Ransomware Attack Used Leaked NSA Exploits to Hit NHS

Organizations across the world have been hit by another wave of ransomware, with targets mostly concentrated in Europe and Asia. One of the most prominent targets is the UK’s National Health Service (NHS), where the attack has caused many clinics and offices to shut down their computers and phones as officials work to resolve the problems. As with all ransomware attacks, the only surefire ways to resolve the issue are to either pay the ransom or hope you have a backup.

The nefarious software now spreading across the globe is known as WanaCrypt0r 2.0 (also known as Wanna, Wannacry, or Wcry). Like other forms of ransomware, WanaCrypt0r begins encrypting files on a computer when it is installed. Once all the important files are locked up tight, it pops up a warning to the user. The level of sophistication varies here, but WanaCrypt0r looks to be one of the more clever. It informs the victim that their files are locked but can be restored. It even offers to decrypt some files free of charge to prove it can be done. After that, you have to pay $300 in Bitcoin to get the decryption key. WanaCrypt0r threatens to double the price after three days if the ransom is not paid. After a week, the files will be deleted permanently.

Security researchers estimate that Russian computers are by far the most affected, but the NHS seems to be the most high-profile target. Spanish telco Telefónica has also been hit hard. The BBC reports that around 25 NHS facilities were hit by the attack, and this is in addition to numerous smaller GP offices. The UK’s National Cyber Security Centre is working with the NHS to ensure patient information is not lost. The NHS notes the ransomware was not specifically targeted at its computers, but the nature of this piece of software means it can spread rapidly.

Figure: The EternalBlue exploit in action.

WanaCrypt0r appears to make use of an exploit known as EternalBlue from a recent leak of NSA documents. The vulnerability it targets is present on any Windows version from XP through Server 2012. The malware authors combined EternalBlue with a self-replicating payload, allowing WanaCrypt0r to operate as a worm. It can move from one machine to another on a network without being installed manually by users.

This ransomware still needs to get into a network once to spread, so it’s important that all computers are updated and people aren’t clicking on suspicious links. There’s a patch from Microsoft, released in March of this year, that will block EternalBlue. It’s a good idea to install that on older PCs, but WanaCrypt0r may still have other methods of infecting systems.